- Add ip-transparent config option for bind to non-local addresses.

git-svn-id: file:///svn/unbound/trunk@3369 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-23 16:20:26 -05:00 · 2015-03-19 09:50:35 +00:00 · 2015-03-19 09:50:35 +00:00 · 77088b12ff
commit 77088b12ff
parent e9e1b464a6
14 changed files with 1975 additions and 1879 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -357,7 +357,8 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 		}
 		/* open fd */
-		fd = create_tcp_accept_sock(res, 1, &noproto, 0);
+		fd = create_tcp_accept_sock(res, 1, &noproto, 0,
 			cfg->ip_transparent);
 		freeaddrinfo(res);
 	}
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
 19 March 2015: Wouter
 	- Add ip-transparent config option for bind to non-local addresses.
 17 March 2015: Wouter
 	- Use reallocarray for integer overflow protection, patch submitted
 	  by Loganaden Velvindron.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -87,6 +87,10 @@ server:
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -267,6 +267,16 @@ it then attempts to open the port and passes the option if it was available
 at compile time, if that works it is used, if it fails, it continues
 silently (unless verbosity 3) without the option.
 .TP
 .B ip\-transparent: \fI<yes or no>
 If yes, then use IP_TRANSPARENT socket option on sockets where unbound
 is listening for incoming traffic.  Default no.  Allows you to bind to
 non\-local interfaces.  For example for non\-existant IP addresses that
 are going to exist later on, with host failover configuration.  This is
 a lot like interface\-automatic, but that one services all interfaces
 and with this option you can select which (future) interfaces unbound
 provides service on.  This option needs unbound to be started with root
 permissions on some systems.
 .TP
 .B rrset\-cache\-size: \fI<number>
 Number of bytes size of the RRset cache. Default is 4 megabytes.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@ -96,10 +96,10 @@ verbose_print_addr(struct addrinfo *addr)
 int
 create_udp_sock(int family, int socktype, struct sockaddr* addr,
        socklen_t addrlen, int v6only, int* inuse, int* noproto,
-	int rcv, int snd, int listen, int* reuseport)
+	int rcv, int snd, int listen, int* reuseport, int transparent)
 {
 	int s;
-#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU)
+#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU)  || defined(IP_TRANSPARENT)
 	int on=1;
 #endif
 #ifdef IPV6_MTU
@ -177,6 +177,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 #else
 		(void)reuseport;
 #endif /* defined(SO_REUSEPORT) */
 #ifdef IP_TRANSPARENT
 		if (transparent &&
 		    setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
 		    (socklen_t)sizeof(on)) < 0) {
 			log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
 			strerror(errno));
 		}
 #endif /* IP_TRANSPARENT */
 	}
 	if(rcv) {
 #ifdef SO_RCVBUF
@ -472,10 +480,10 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 int
 create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport)
+	int* reuseport, int transparent)
 {
 	int s;
-#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY)
+#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT)
 	int on = 1;
 #endif /* SO_REUSEADDR || IPV6_V6ONLY */
 	verbose_print_addr(addr);
@ -552,6 +560,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 #else
 	(void)v6only;
 #endif /* IPV6_V6ONLY */
 #ifdef IP_TRANSPARENT
 	if (transparent &&
 	    setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
 	    (socklen_t)sizeof(on)) < 0) {
 		log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
 			strerror(errno));
 	}
 #endif /* IP_TRANSPARENT */
 	if(bind(s, addr->ai_addr, addr->ai_addrlen) != 0) {
 #ifndef USE_WINSOCK
 		/* detect freebsd jail with no ipv6 permission */
@ -656,7 +672,7 @@ create_local_accept_sock(const char *path, int* noproto)
 static int
 make_sock(int stype, const char* ifname, const char* port, 
 	struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
-	int* reuseport)
+	int* reuseport, int transparent)
 {
 	struct addrinfo *res = NULL;
 	int r, s, inuse, noproto;
@ -684,14 +700,15 @@ make_sock(int stype, const char* ifname, const char* port,
 		s = create_udp_sock(res->ai_family, res->ai_socktype,
 			(struct sockaddr*)res->ai_addr, res->ai_addrlen,
 			v6only, &inuse, &noproto, (int)rcv, (int)snd, 1,
-			reuseport);
+			reuseport, transparent);
 		if(s == -1 && inuse) {
 			log_err("bind: address already in use");
 		} else if(s == -1 && noproto && hints->ai_family == AF_INET6){
 			*noip6 = 1;
 		}
 	} else	{
-		s = create_tcp_accept_sock(res, v6only, &noproto, reuseport);
+		s = create_tcp_accept_sock(res, v6only, &noproto, reuseport,
 			transparent);
 		if(s == -1 && noproto && hints->ai_family == AF_INET6){
 			*noip6 = 1;
 		}
@ -704,7 +721,7 @@ make_sock(int stype, const char* ifname, const char* port,
 static int
 make_sock_port(int stype, const char* ifname, const char* port, 
 	struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
-	int* reuseport)
+	int* reuseport, int transparent)
 {
 	char* s = strchr(ifname, '@');
 	if(s) {
@ -726,10 +743,10 @@ make_sock_port(int stype, const char* ifname, const char* port,
 		(void)strlcpy(p, s+1, sizeof(p));
 		p[strlen(s+1)]=0;
 		return make_sock(stype, newif, p, hints, v6only, noip6,
-			rcv, snd, reuseport);
+			rcv, snd, reuseport, transparent);
 	}
 	return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd,
-		reuseport);
+		reuseport, transparent);
 }
 /**
@ -823,19 +840,20 @@ set_recvpktinfo(int s, int family)
 * @param ssl_port: ssl service port number
 * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
 * 	set to false on exit if reuseport failed due to no kernel support.
 * @param transparent: set IP_TRANSPARENT socket option.
 * @return: returns false on error.
 */
 static int
 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, 
 	struct addrinfo *hints, const char* port, struct listen_port** list,
-	size_t rcv, size_t snd, int ssl_port, int* reuseport)
+	size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent)
 {
 	int s, noip6=0;
 	if(!do_udp && !do_tcp)
 		return 0;
 	if(do_auto) {
 		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
-			&noip6, rcv, snd, reuseport)) == -1) {
+			&noip6, rcv, snd, reuseport, transparent)) == -1) {
 			if(noip6) {
 				log_warn("IPv6 protocol not available");
 				return 1;
@ -862,7 +880,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	} else if(do_udp) {
 		/* regular udp socket */
 		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
-			&noip6, rcv, snd, reuseport)) == -1) {
+			&noip6, rcv, snd, reuseport, transparent)) == -1) {
 			if(noip6) {
 				log_warn("IPv6 protocol not available");
 				return 1;
@ -883,7 +901,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			atoi(strchr(ifname, '@')+1) == ssl_port) ||
 			(!strchr(ifname, '@') && atoi(port) == ssl_port));
 		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
-			&noip6, 0, 0, reuseport)) == -1) {
+			&noip6, 0, 0, reuseport, transparent)) == -1) {
 			if(noip6) {
 				/*log_warn("IPv6 protocol not available");*/
 				return 1;
@ -1039,7 +1057,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport)) {
+				cfg->ssl_port, reuseport,
 				cfg->ip_transparent)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1050,7 +1069,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport)) {
+				cfg->ssl_port, reuseport,
 				cfg->ip_transparent)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1063,7 +1083,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport)) {
+				cfg->ssl_port, reuseport,
 				cfg->ip_transparent)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1074,7 +1095,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport)) {
+				cfg->ssl_port, reuseport,
 				cfg->ip_transparent)) {
 				listening_ports_free(list);
 				return NULL;
 			}
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -189,11 +189,12 @@ void listen_start_accept(struct listen_dnsport* listen);
 * 	set SO_REUSEADDR on it.
 * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on
 * 	listening UDP port.  Set to false on return if it failed to do so.
 * @param transparent: set IP_TRANSPARENT socket option.
 * @return: the socket. -1 on error.
 */
 int create_udp_sock(int family, int socktype, struct sockaddr* addr, 
 	socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv,
-	int snd, int listen, int* reuseport);
+	int snd, int listen, int* reuseport, int transparent);
 /**
 * Create and bind TCP listening socket
@ -202,10 +203,11 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr,
 * @param noproto: if error caused by lack of protocol support.
 * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on
 * 	listening UDP port.  Set to false on return if it failed to do so.
 * @param transparent: set IP_TRANSPARENT socket option.
 * @return: the socket. -1 on error.
 */
 int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport);
+	int* reuseport, int transparent);
 /**
 * Create and bind local listening socket
--- a/services/outside_network.c
+++ b/services/outside_network.c
@ -893,13 +893,13 @@ udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int port,
 		sa->sin6_port = (in_port_t)htons((uint16_t)port);
 		fd = create_udp_sock(AF_INET6, SOCK_DGRAM, 
 			(struct sockaddr*)addr, addrlen, 1, inuse, &noproto,
-			0, 0, 0, NULL);
+			0, 0, 0, NULL, 0);
 	} else {
 		struct sockaddr_in* sa = (struct sockaddr_in*)addr;
 		sa->sin_port = (in_port_t)htons((uint16_t)port);
 		fd = create_udp_sock(AF_INET, SOCK_DGRAM, 
 			(struct sockaddr*)addr, addrlen, 1, inuse, &noproto,
-			0, 0, 0, NULL);
+			0, 0, 0, NULL, 0);
 	}
 	return fd;
 }
--- a/util/config_file.c
+++ b/util/config_file.c
@ -156,6 +156,7 @@ config_create(void)
 	cfg->so_rcvbuf = 0;
 	cfg->so_sndbuf = 0;
 	cfg->so_reuseport = 0;
 	cfg->ip_transparent = 0;
 	cfg->num_ifs = 0;
 	cfg->ifs = NULL;
 	cfg->num_out_ifs = 0;
@ -373,6 +374,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_MEMSIZE("so-rcvbuf:", so_rcvbuf)
 	else S_MEMSIZE("so-sndbuf:", so_sndbuf)
 	else S_YNO("so-reuseport:", so_reuseport)
 	else S_YNO("ip-transparent:", ip_transparent)
 	else S_MEMSIZE("rrset-cache-size:", rrset_cache_size)
 	else S_POW2("rrset-cache-slabs:", rrset_cache_slabs)
 	else S_YNO("prefetch:", prefetch)
@ -627,6 +629,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_MEM(opt, "so-rcvbuf", so_rcvbuf)
 	else O_MEM(opt, "so-sndbuf", so_sndbuf)
 	else O_YNO(opt, "so-reuseport", so_reuseport)
 	else O_YNO(opt, "ip-transparent", ip_transparent)
 	else O_MEM(opt, "rrset-cache-size", rrset_cache_size)
 	else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs)
 	else O_YNO(opt, "prefetch-key", prefetch_key)
--- a/util/config_file.h
+++ b/util/config_file.h
@ -136,6 +136,8 @@ struct config_file {
 	size_t so_sndbuf;
 	/** SO_REUSEPORT requested on port 53 sockets */
 	int so_reuseport;
 	/** IP_TRANSPRENT socket option requested on port 53 sockets */
 	int ip_transparent;
 	/** number of interfaces to open. If 0 default all interfaces. */
 	int num_ifs;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -226,6 +226,7 @@ interface-automatic{COLON}	{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
 so-rcvbuf{COLON}		{ YDVAR(1, VAR_SO_RCVBUF) }
 so-sndbuf{COLON}		{ YDVAR(1, VAR_SO_SNDBUF) }
 so-reuseport{COLON}		{ YDVAR(1, VAR_SO_REUSEPORT) }
 ip-transparent{COLON}		{ YDVAR(1, VAR_IP_TRANSPARENT) }
 chroot{COLON}			{ YDVAR(1, VAR_CHROOT) }
 username{COLON}			{ YDVAR(1, VAR_USERNAME) }
 directory{COLON}		{ YDVAR(1, VAR_DIRECTORY) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -194,7 +194,8 @@ extern int yydebug;
     VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 403,
     VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 404,
     VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 405,
-     VAR_HARDEN_ALGO_DOWNGRADE = 406
+     VAR_HARDEN_ALGO_DOWNGRADE = 406,
     VAR_IP_TRANSPARENT = 407
   };
 #endif
 /* Tokens.  */
@ -347,6 +348,7 @@ extern int yydebug;
 #define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 404
 #define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 405
 #define VAR_HARDEN_ALGO_DOWNGRADE 406
 #define VAR_IP_TRANSPARENT 407
@ -360,7 +362,7 @@ typedef union YYSTYPE
 /* Line 2058 of yacc.c  */
-#line 364 "util/configparser.h"
+#line 366 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
--- a/util/configparser.y
+++ b/util/configparser.y
@ -118,7 +118,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
-%token VAR_HARDEN_ALGO_DOWNGRADE
+%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -178,7 +178,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
 	server_so_reuseport | server_delay_close | server_unblock_lan_zones |
 	server_dns64_prefix | server_dns64_synthall |
-	server_infra_cache_min_rtt | server_harden_algo_downgrade
+	server_infra_cache_min_rtt | server_harden_algo_downgrade |
 	server_ip_transparent
 	;
 stubstart: VAR_STUB_ZONE
 	{
@ -621,6 +622,16 @@ server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG
        free($2);
    }
    ;
 server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG
    {
        OUTYY(("P(server_ip_transparent:%s)\n", $2));
        if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
            yyerror("expected yes or no.");
        else cfg_parser->cfg->ip_transparent =
            (strcmp($2, "yes")==0);
        free($2);
    }
    ;
 server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_edns_buffer_size:%s)\n", $2));